10-14-2024, 04:15 AM
Hi everyone! I just passed with the help of this site after a while, and here's my summary -
I used this site to study 300 questions a day until I got 90% or better on my exam.
I also used a usb capture card and a second laptop mounted under the table with a 3d print to record my screen for post-game review.
I've taken the exam twice (780 score on the first try!), and here were the labs they gave me:
First exam:
- EIGRP Route Manipulation #3
- AAA & IP Troubleshooting Lab
- IPSec Config SIM
- EIGRP #2
Second exam:
- VRF
- DMVPN
- EIGRP #2
My labs are below. I put these in Claude.ai and ChatGPT and told it to quiz me. I'll reply in a comment with my ChatGPT prompt for reference.
Part 1 is here, part 2 is in a comment. Copy both parts for your notes.
CORRECTED ENARSI LABS PART 1:
### CoPP (Verified/Labbed Solution)
### Tasks
A network is configured with CoPP to protect the CORE router route processor for stability and DDoS protection. As a company policy, a class named class-default is preconfigured and must not be modified or deleted. Troubleshoot CoPP to resolve the issues introduced during the maintenance window to ensure that:
1. Dynamic routing policies are under CoPP-CRITICAL and are allowed only from the 10.10.X.X range.
2. Telnet, SSH, and ping are under CoPP-IMPORTANT and are allowed strictly to/from 10.10.x.x to the CORE router (Hint: you can verify using Loopback1).
3. All devices ping (UDP) any CORE router interface successfully to/from the 10.10.X.X range and do not allow any other IP address.
4. All devices run a successful traceroute (UDP) to any interface on the CORE router to/from the 10.10.X.X range, are under CoPP-NORMAL, and do not allow any other IP address (make sure default traceroute TTL is accounted for). The traceroute is to be under CoPP-NORMAL (Hint: Traceroute port range 33434-33464).
### Solution
**CORE**
ip access-list extended COPP-CRITICAL
permit eigrp 10.10.0.0 0.0.255.255 any
permit eigrp any 10.10.0.0 0.0.255.255
! EIGRP hellos go to 224.0.0.10; keep the source restricted to 10.10.x.x
! (a "permit ip any host 224.0.0.10" line would admit routing traffic from any source)
permit eigrp 10.10.0.0 0.0.255.255 host 224.0.0.10
! list name assumed to follow the COPP-* naming of the other two lists; use whatever
! name the preconfigured CoPP class-map references in its match access-group
ip access-list extended COPP-IMPORTANT
permit tcp 10.10.0.0 0.0.255.255 host 10.10.1.1 eq 22 telnet
permit tcp host 10.10.1.1 10.10.0.0 0.0.255.255 eq 22 telnet
permit icmp 10.10.0.0 0.0.255.255 host 10.10.1.1
permit icmp host 10.10.1.1 10.10.0.0 0.0.255.255
permit udp 10.10.0.0 0.0.255.255 host 10.10.1.1
permit udp host 10.10.1.1 10.10.0.0 0.0.255.255
ip access-list extended COPP-NORMAL
! "eq 33434 33464" matches only those two ports; "range" covers every traceroute probe port
permit udp 10.10.0.0 0.0.255.255 host 10.10.1.1 range 33434 33464
permit udp host 10.10.1.1 10.10.0.0 0.0.255.255 range 33434 33464
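To check what these lists actually admit before pasting them in, here is a small Python model of IOS extended-ACL matching (an added example, not the post author's config and not Cisco code): it supports only the keywords used on this page, and the probe packets and source addresses it tests are constructed. It shows why the eq-vs-range distinction matters for traceroute and what a source-unrestricted multicast line lets through.

```python
"""Minimal model of Cisco IOS extended-ACL matching for the CoPP lists above.

Added example, not IOS code: only the keywords used on this page are supported
(any | host A | A WILDCARD, 'eq p [p ...]', 'range lo hi', protocols ip/tcp/udp/icmp/eigrp).
"""
import ipaddress

PORT_NAMES = {"telnet": 23, "ssh": 22}  # named ports that appear on this page


def _addr(tokens, i, ip):
    """Match one address spec starting at tokens[i]; return (matched, next_index)."""
    if tokens[i] == "any":
        return True, i + 1
    if tokens[i] == "host":
        return ip == tokens[i + 1], i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    # wildcard bits set to 1 are "don't care": OR them away on both sides
    return (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild), i + 2


def _port(tokens, i, port):
    """Match an optional port spec at tokens[i]; return (matched, next_index).

    'eq' takes a LIST of individual ports (IOS accepts several after eq), so
    'eq 33434 33464' means exactly those two ports, not everything in between;
    'range lo hi' is the inclusive range.
    """
    if i < len(tokens) and tokens[i] == "range":
        return int(tokens[i + 1]) <= port <= int(tokens[i + 2]), i + 3
    if i < len(tokens) and tokens[i] == "eq":
        ports, j = set(), i + 1
        while j < len(tokens) and (tokens[j].isdigit() or tokens[j] in PORT_NAMES):
            ports.add(int(PORT_NAMES.get(tokens[j], tokens[j])))
            j += 1
        return port in ports, j
    return True, i  # no port spec: any port matches


def ace_matches(ace, pkt):
    """Return the ACE's action if the packet matches it, else None."""
    t = ace.split()
    action, proto = t[0], t[1]
    if proto != "ip" and proto != pkt["proto"]:  # 'ip' matches every protocol
        return None
    src_ok, i = _addr(t, 2, pkt["src"])
    sport_ok, i = _port(t, i, pkt.get("sport", 0))
    dst_ok, i = _addr(t, i, pkt["dst"])
    dport_ok, _ = _port(t, i, pkt.get("dport", 0))
    return action if (src_ok and sport_ok and dst_ok and dport_ok) else None


def acl_verdict(acl, pkt):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        action = ace_matches(ace, pkt)
        if action:
            return action
    return "deny"


# COPP-NORMAL with the eq keyword and with the range keyword
COPP_NORMAL_EQ = [
    "permit udp 10.10.0.0 0.0.255.255 host 10.10.1.1 eq 33434 33464",
    "permit udp host 10.10.1.1 10.10.0.0 0.0.255.255 eq 33434 33464",
]
COPP_NORMAL_RANGE = [line.replace(" eq ", " range ") for line in COPP_NORMAL_EQ]

# COPP-CRITICAL with and without a source-unrestricted multicast line
COPP_CRITICAL_LOOSE = [
    "permit eigrp 10.10.0.0 0.0.255.255 any",
    "permit ip any host 224.0.0.10",  # admits routing traffic from any source
]
COPP_CRITICAL_STRICT = [
    "permit eigrp 10.10.0.0 0.0.255.255 any",
    "permit eigrp 10.10.0.0 0.0.255.255 host 224.0.0.10",
]


def traceroute_probe(dport, src="10.10.2.2"):
    """Constructed UDP traceroute probe towards the CORE Loopback1 address."""
    return {"proto": "udp", "src": src, "dst": "10.10.1.1", "sport": 40000, "dport": dport}


def eigrp_hello(src):
    """Constructed EIGRP hello to the EIGRP multicast group."""
    return {"proto": "eigrp", "src": src, "dst": "224.0.0.10"}


if __name__ == "__main__":
    for name, acl in (("COPP-NORMAL eq", COPP_NORMAL_EQ), ("COPP-NORMAL range", COPP_NORMAL_RANGE)):
        for dport in (33434, 33440, 33465):  # first probe, third-hop probe, just past the range
            print(f"{name:18} probe dport {dport}: {acl_verdict(acl, traceroute_probe(dport))}")
    for name, acl in (("CRITICAL loose", COPP_CRITICAL_LOOSE), ("CRITICAL strict", COPP_CRITICAL_STRICT)):
        for src in ("10.10.5.5", "192.168.9.9"):
            print(f"{name:18} EIGRP hello from {src}: {acl_verdict(acl, eigrp_hello(src))}")
```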
---
### VRFs (Verified/Labbed Solution)
### Tasks
![sim-vrf-topology.png](https://prod-files-secure.s3.us-west-2.a...pology.png)
Configure individual VRFs for each customer according to the topology to achieve these goals:
1. VRF "cu-red" has interfaces on routers R1 and R2. Both routers are preconfigured with IP addressing, VRFs and BGP. Do not use the BGP network statement for advertisement.
2. VRF "cu-green" has interfaces on routers R1 and R2.
3. BGP on router R1 populates VRF routes between router R1 and R2.
4. BGP on router R2 populates VRF routes between router R1 and R2.
5. LAN to LAN is reachable between SW1 and SW3 for VRF "cu-red" and between SW2 and SW4 for VRF "cu-green". All switches are preconfigured.
### Solution
**R1**
conf t
vrf definition cu-red
rd 65000:100
address-family ipv4 unicast
vrf definition cu-green
rd 65000:200
address-family ipv4 unicast
interface e0/0
vrf forwarding cu-red
ip address 192.168.1.254 255.255.255.0
no shut
interface e0/1
vrf forwarding cu-green
ip address 192.168.20.254 255.255.255.0
no shut
interface e0/2
no shut
interface e0/2.100
vrf forwarding cu-red
ip address 10.10.10.1 255.255.255.252
no shut
interface e0/2.200
vrf forwarding cu-green
ip address 10.10.20.1 255.255.255.252
no shut
router bgp 65000
bgp router-id 1.1.1.1
address-family ipv4 vrf cu-red
neighbor 10.10.10.2 remote-as 65000
redistribute connected
exit-address-family
address-family ipv4 vrf cu-green
neighbor 10.10.20.2 remote-as 65000
redistribute connected
exit-address-family
wr
**R2**
conf t
vrf definition cu-red
rd 65000:100
address-family ipv4 unicast
vrf definition cu-green
rd 65000:200
address-family ipv4 unicast
interface e0/0
vrf forwarding cu-red
ip address 192.168.2.254 255.255.255.0
no shut
interface e0/1
vrf forwarding cu-green
ip address 192.168.22.254 255.255.255.0
no shut
interface e0/2
no shut
interface e0/2.100
vrf forwarding cu-red
ip address 10.10.10.2 255.255.255.252
no shut
interface e0/2.200
vrf forwarding cu-green
ip address 10.10.20.2 255.255.255.252
no shut
router bgp 65000
bgp router-id 2.2.2.2
address-family ipv4 vrf cu-red
neighbor 10.10.10.1 remote-as 65000
redistribute connected
address-family ipv4 vrf cu-green
neighbor 10.10.20.1 remote-as 65000
redistribute connected
wr
---
### OSPF (Mostly Verified Solution)
### Tasks
A network is configured with IP connectivity, and the routing protocol between devices started having problems right after the maintenance window to implement network changes. Troubleshoot and resolve to a fully functional network to ensure that:
1. Inter-area links have link authentication (not area authentication) using MD5 with the key 1 string CCNP.
2. R3 is a DR regardless of R2 status while R1 and R2 establish a DR/BDR relationship.
3. OSPF uses the default cost on all interfaces. Network reachability must follow OSPF default behavior for traffic within an area over intra-area VS inter-area links.
4. The OSPF external route generated on R4 adds link cost when traversing through the network to reach R2. A network command to advertise routes is not allowed.
### Solution
**R2**
conf t
interface e0/1
ip ospf priority 0
wr
**R4**
conf t
interface e0/0
ip ospf message-digest-key 1 md5 CCNP
ip ospf authentication message-digest
router ospf 1
redistribute connected metric-type 1
wr
**R5**
conf t
int e0/0
ip ospf message-digest-key 1 md5 CCNP
ip ospf authentication message-digest
interface e0/1
no ip ospf cost 60
wr
---
### DMVPN (Mostly Verified Solution)
### Tasks
A DMVPN network is preconfigured with tunnel 0 IP address 192.168.1.254 on the HUB, IP connectivity, crypto policies, profiles, and EIGRP AS 100. The NHRP password is ccnp123, and the network ID and tunnel key are the EIGRP ASN. Do not introduce a static route. Configure DMVPN connectivity between routers BR1 and BR2 and the HUB router, using the physical interface as the tunnel source, to achieve these goals:
1. Configure NHRP authentication, static IP-to-NBMA address maps, hold time 5 minutes, network ID, and server on branch router BR1.
2. Configure NHRP authentication, static IP-to-NBMA address maps, hold time 5 minutes, network ID, and server on branch router BR2.
3. Ensure that packet fragmentation is done before encryption to account for GRE and IPsec header and allow a maximum TCP segment size of 1360 on an IP MTU of 1400 on the tunnel interfaces of both branch routers.
4. Apply an IPsec profile to the tunnel. Verify that direct spoke-to-spoke tunnel is functional between branch routers BR1 and BR2 by using traceroute to Ethernet 0/0 IP address to get a full score.
### Solution
**BR1**
conf t
! task 3 applies to both branch routers: fragment before encryption (BR2 below has the same two lines)
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip tcp adjust-mss 1360
ip nhrp authentication ccnp123
ip nhrp map 192.168.1.254 10.10.255.254
ip nhrp map multicast 10.10.255.254
ip nhrp network-id 100
ip nhrp holdtime 300
ip nhrp nhs 192.168.1.254
ip nhrp shortcut
delay 1000
tunnel source 10.10.255.1
tunnel mode gre multipoint
tunnel key 100
! task 4: apply the preconfigured IPsec profile (its name is not given in the task; the alternative answer below uses "ccnp")
! tunnel protection ipsec profile <PROFILE-NAME>
router eigrp 100
network 10.10.10.1 0.0.0.0
network 192.168.1.0 0.0.0.255
wr
**BR2**
conf t
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1400
ip tcp adjust-mss 1360
ip nhrp authentication ccnp123
ip nhrp map 192.168.1.254 10.10.255.254
ip nhrp map multicast 10.10.255.254
ip nhrp network-id 100
ip nhrp holdtime 300
ip nhrp nhs 192.168.1.254
ip nhrp shortcut
delay 1000
! assumed physical interface address, consistent with BR1's 10.10.255.1 and the alternative answer below;
! 10.10.10.2 is the LAN address advertised under EIGRP
tunnel source 10.10.255.2
! an mGRE tunnel has no "tunnel destination"; the NHRP map above supplies the hub's NBMA address
tunnel mode gre multipoint
tunnel key 100
! tunnel protection ipsec profile <PROFILE-NAME>
router eigrp 100
network 10.10.10.2 0.0.0.0
network 192.168.1.0 0.0.0.255
wr
Verify:
BR1#traceroute 172.16.2.254
BR1#show dmvpn
Alternative answer that I’m not sure would cut it; the examtopics fam doesn’t think this one is it:
https://www.examtopics.com/discussions/c...iscussion/
https://www.wolf-lab.com/ccie/1462.html
**BR1**
config t
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt
interface tunnel 0
ip address 192.168.1.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
ip nhrp authentication ccnp123
ip nhrp network-id 100
ip nhrp map 192.168.1.254 10.10.255.254
ip nhrp map multicast 10.10.255.254
ip nhrp nhs 192.168.1.254
ip nhrp holdtime 300
ip nhrp shortcut
tunnel source 10.10.255.1
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile ccnp
wr
traceroute 192.168.1.2
show dmvpn
show crypto ipsec sa
**BR2**
config t
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt
interface tunnel 0
ip address 192.168.1.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
ip nhrp authentication ccnp123
ip nhrp network-id 100
ip nhrp map 192.168.1.254 10.10.255.254
ip nhrp map multicast 10.10.255.254
ip nhrp nhs 192.168.1.254
ip nhrp holdtime 300
ip nhrp shortcut
tunnel source 10.10.255.2
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile ccnp
wr
traceroute 192.168.1.1
show dmvpn
show crypto ipsec sa
---
### DMVPN Phase-II (Verified, varies a lot between tests)
### Tasks
Configure HUB and SPOKE routers according to the topology to achieve these goals:
1. Configure mGRE neighborship to provide end-to-end reachability between Hub and Spokes.
2. Configure NHRP authentication using password "C!$c0123". Use 180 sec hold time for NHRP members where NHS should maintain next hop client NBMA registration messages for 60 sec. Verify configuration with ping from PC1 to PC2 and PC3.
### Solution
**R0**
en
conf t
interface tunnel 0
ip address 10.0.0.254 255.255.255.0
tunnel mode gre multipoint
tunnel source e0/1
ip nhrp network-id 1
ip nhrp authentication C!$c0123
ip nhrp registration timeout 60
ip nhrp holdtime 180
! only needed when a routing protocol (OSPF/EIGRP/RIP) runs over the tunnel
ip nhrp map multicast dynamic
wr
**R1**
en
conf t
interface tunnel 0
ip address 10.0.0.1 255.255.255.0
tunnel source e0/1
ip nhrp network-id 1
tunnel mode gre multipoint
ip nhrp map 10.0.0.254 10.10.255.254
ip nhrp nhs 10.0.0.254
ip nhrp authentication C!$c0123
ip nhrp registration timeout 60
ip nhrp holdtime 180
! only needed when a routing protocol (OSPF/EIGRP/RIP) runs over the tunnel
ip nhrp map multicast 10.10.255.254
wr
**R2**
en
conf t
interface tunnel 0
ip address 10.0.0.2 255.255.255.0
tunnel source e0/1
ip nhrp network-id 1
tunnel mode gre multipoint
ip nhrp map 10.0.0.254 10.10.255.254
ip nhrp nhs 10.0.0.254
ip nhrp authentication C!$c0123
ip nhrp registration timeout 60
ip nhrp holdtime 180
! only needed when a routing protocol (OSPF/EIGRP/RIP) runs over the tunnel
ip nhrp map multicast 10.10.255.254
wr
---
### IPSEC #1 (Kinda Verified Solution)
### Tasks
Configure IPSec security policy on tunnel interfaces to ensure data confidentiality and integrity where mGRE tunnels are up and running between HUB and SPOKE routers.
1. Configure the ISAKMP policy parameters with the following attributes:
AES128
MD5
Group2
lifetime 86400
2. Ensure that the GRE IP header is not encrypted inside the IPsec packet.
3. Configure a flexible ISAKMP Policy to add peers that have the dynamic IP addresses. Use a single command to configure it. Use IPSec phase-2 transform-set name as 'T-SET' and IPSec Profile name as 'T-SET-PROFILE'. Use ISAKMP key "abc123". Verify configuration with Ping from PC1 to PC2 and PC3.
### Solution
**R0/R1/R2**
en
conf t
crypto isakmp policy 10
encryption aes 128
hash md5
authentication pre-share
group 2
lifetime 86400
! wildcard peer address: one key for any (dynamically addressed) peer
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
! esp-aes takes the key size as a separate argument
crypto ipsec transform-set T-SET esp-aes 128 esp-md5-hmac
! task 2: transport mode leaves the GRE IP header in the clear
mode transport
crypto ipsec profile T-SET-PROFILE
set transform-set T-SET
interface tunnel 0
tunnel source e0/0
tunnel protection ipsec profile T-SET-PROFILE
wr
### Verification
show crypto isakmp sa
show crypto ipsec sa
---
### IPSEC #2 (Kinda Verified Solution)
### Tasks
Configure IPSec security policy on tunnel interfaces to ensure data confidentiality and integrity where mGRE tunnels are up and running between HUB and SPOKE routers.
1. Configure the ISAKMP policy parameters with the following attributes:
AES256
SHA256
Group 2
lifetime 86400
2. Ensure that the GRE IP header is encrypted inside the IPsec packet. Verify the IPsec security association and the ISAKMP encrypted key. Use ISAKMP key "abc123".
3. Configure a flexible ISAKMP policy on the HUB to add peers that have dynamic IP addresses, while the SPOKES must add a static entry for the HUB IP using an encrypted key. Use a single command to configure it. Use 'T-SET' as the IPsec phase-2 transform-set name and 'IPSEC-PROFILE' as the IPsec profile name.
### Solution
**R0/R1/R2**
en
conf t
crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 2
lifetime 86400
! HUB: wildcard peer address accepts peers with dynamic addresses
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
! SPOKES (task 3): a static entry for the hub address instead of the wildcard, e.g.
! crypto isakmp key abc123 address <HUB-PHYSICAL-IP>
! (to store the key encrypted as type 6: key config-key password-encrypt, then password encryption aes)
crypto ipsec transform-set T-SET esp-aes 256 esp-sha256-hmac
! task 2: tunnel mode (the default) encrypts the GRE IP header as well
mode tunnel
crypto ipsec profile IPSEC-PROFILE
set transform-set T-SET
int tunnel 0
tunnel source e0/0
tunnel protection ipsec profile IPSEC-PROFILE
wr
### Verification
show crypto isakmp sa
show crypto ipsec sa
---
### Timestamps/SNMP Config (Verified Solution)
### Tasks
Troubleshoot R-WEST to achieve the desired results:
1. The locally generated logs should have sequence numbers, date and time.
2. The SNMP related to OSPF and participating interface state changes utilizing RFC1253-MIB OSPFv2 should be sent to SNMP server.
### Solution
**R-WEST**
en
conf t
service sequence-numbers
service timestamps log datetime msec
snmp-server enable traps ospf state-change
wr
---
**Ranking of Labs by Difficulty:**
- **Timestamps/SNMP Config (Lab 8)**
  - **Reason:** This lab involves minimal configuration changes, only about 3-4 commands. You enable sequence numbers and timestamps for logs and configure SNMP traps for OSPF state changes.
- **Archive Logging/SNMP Config (Lab 9)**
  - **Reason:** Similar to Lab 8, this lab requires a few additional commands (around 5-6). You configure command logging, ensure passwords are hidden, and enable specific SNMP traps.
- **AAA & ACL Lab (Lab 14)**
  - **Reason:** This lab involves troubleshooting AAA and ACL configurations on SW2 and the East router. It requires about 8-10 commands to fix access lists and authentication methods.
- **OSPF Troubleshooting (Lab 3)**
  - **Reason:** With approximately 10-12 commands, you adjust OSPF priorities, configure link authentication, and make minor tweaks to achieve the desired routing behavior.
- **CoPP (Control Plane Policing) (Lab 1)**
  - **Reason:** This lab requires creating multiple access lists and class maps, amounting to around 15-20 commands. You're setting up policies to protect the router's control plane.
- **EIGRP Route Manipulation #1 (Lab 10)**
  - **Reason:** Involves configuring route maps and adjusting EIGRP metrics, totaling about 20 commands. You manipulate routing paths without using static routes or policy-based routing.
- **EIGRP Route Manipulation #2 (Lab 11)**
  - **Reason:** Similar in complexity to Lab 10, with slight variations in the tasks. It also requires around 20 commands focused on route manipulation in EIGRP.
- **EIGRP Route Manipulation #3 (Lab 12)**
  - **Reason:** Slightly more complex than the previous EIGRP labs due to additional requirements like adjusting RIP distances and redistributing between protocols. Around 25 commands are needed.
- **IPSec #1 (Lab 6)**
  - **Reason:** You configure IPSec policies on multiple routers, including ISAKMP policies and crypto profiles, totaling approximately 30 commands.
- **IPSec #2 (Lab 7)**
  - **Reason:** Similar to Lab 6 but with different encryption standards and additional requirements like encrypting the GRE IP header. Around 30 commands are involved.
- **DMVPN (Lab 4)**
  - **Reason:** Configuring DMVPN with NHRP, IPsec profiles, and spoke-to-spoke tunnels requires about 30-35 commands across the routers involved.
- **DMVPN Phase-II (Lab 5)**
  - **Reason:** This lab builds upon basic DMVPN configurations with added complexities like NHRP authentication and hold times. It involves around 40-45 commands.
- **VRFs (Lab 2)**
  - **Reason:** Configuring VRFs, interfaces, and BGP across multiple routers is complex and command-intensive, requiring approximately 50 commands. It involves detailed configurations for separate routing tables and BGP instances.
- **BGP Troubleshooting (Lab 13)**
  - **Reason:** This lab is the most complex due to intricate BGP configurations, route manipulations using attributes like local preference, and summarization. It requires deep understanding and around 40-50 commands to resolve issues across multiple routers.